Renamed playbooks based on new additions that were added.
This commit is contained in:
9b
Родитель
1f56566b6f
Коммит
8200703950
|
|
@ -0,0 +1,269 @@
|
|||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
|
||||
"metadata": {
|
||||
"comments": "This playbook uses the RiskIQ Intelligence connector to automatically enrich incidents generated by Sentinel with recent passive DNS records.",
|
||||
"author": "Brandon Dixon, RiskIQ"
|
||||
},
|
||||
"parameters": {
|
||||
"PlaybookName": {
|
||||
"defaultValue": "Recent-Host-Passive-DNS",
|
||||
"type": "string"
|
||||
},
|
||||
"UserName": {
|
||||
"defaultValue": "<username>@<domain>",
|
||||
"type": "string"
|
||||
}
|
||||
},
|
||||
"variables": {
|
||||
"AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]",
|
||||
"RiskIQConnectionName": "[concat('riskiqintelligence-', parameters('PlaybookName'))]"
|
||||
},
|
||||
"resources": [{
|
||||
"type": "Microsoft.Web/connections",
|
||||
"apiVersion": "2016-06-01",
|
||||
"name": "[variables('RiskIQConnectionName')]",
|
||||
"location": "[resourceGroup().location]",
|
||||
"properties": {
|
||||
"customParameterValues": {},
|
||||
"api": {
|
||||
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/riskiqintelligence')]"
|
||||
}
|
||||
}
|
||||
}, {
|
||||
"type": "Microsoft.Web/connections",
|
||||
"apiVersion": "2016-06-01",
|
||||
"name": "[variables('AzureSentinelConnectionName')]",
|
||||
"location": "[resourceGroup().location]",
|
||||
"properties": {
|
||||
"customParameterValues": {},
|
||||
"api": {
|
||||
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
|
||||
}
|
||||
}
|
||||
}, {
|
||||
"type": "Microsoft.Logic/workflows",
|
||||
"apiVersion": "2017-07-01",
|
||||
"name": "[parameters('PlaybookName')]",
|
||||
"location": "[resourceGroup().location]",
|
||||
"tags": {
|
||||
"LogicAppsCategory": "security"
|
||||
},
|
||||
"dependsOn": [
|
||||
"[resourceId('Microsoft.Web/connections', variables('RiskIQConnectionName'))]",
|
||||
"[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]"
|
||||
],
|
||||
"properties": {
|
||||
"state": "Enabled",
|
||||
"definition": {
|
||||
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
|
||||
"actions": {
|
||||
"Alert_-_Get_hosts": {
|
||||
"inputs": {
|
||||
"body": "@triggerBody()?['Entities']",
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
|
||||
}
|
||||
},
|
||||
"method": "post",
|
||||
"path": "/entities/host"
|
||||
},
|
||||
"runAfter": {},
|
||||
"type": "ApiConnection"
|
||||
},
|
||||
"Create_CSV_table": {
|
||||
"inputs": {
|
||||
"columns": [
|
||||
{
|
||||
"header": " ",
|
||||
"value": "@item()"
|
||||
}
|
||||
],
|
||||
"format": "CSV",
|
||||
"from": "@variables('infra')"
|
||||
},
|
||||
"runAfter": {
|
||||
"For_each": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "Table"
|
||||
},
|
||||
"For_each": {
|
||||
"actions": {
|
||||
"For_each_5": {
|
||||
"actions": {
|
||||
"For_each_3": {
|
||||
"actions": {
|
||||
"Condition": {
|
||||
"actions": {
|
||||
"Append_to_array_variable": {
|
||||
"inputs": {
|
||||
"name": "infra",
|
||||
"value": "@items('For_each_3')"
|
||||
},
|
||||
"runAfter": {},
|
||||
"type": "AppendToArrayVariable"
|
||||
}
|
||||
},
|
||||
"expression": {
|
||||
"and": [
|
||||
{
|
||||
"not": {
|
||||
"contains": [
|
||||
"@variables('infra')",
|
||||
"@items('For_each_3')"
|
||||
]
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
"runAfter": {},
|
||||
"type": "If"
|
||||
}
|
||||
},
|
||||
"foreach": "@items('For_each_5')?['data']",
|
||||
"runAfter": {},
|
||||
"type": "Foreach"
|
||||
}
|
||||
},
|
||||
"foreach": "@body('Passive_DNS_results_by_name')?['records']",
|
||||
"runAfter": {
|
||||
"Passive_DNS_results_by_name": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "Foreach"
|
||||
},
|
||||
"Passive_DNS_results_by_name": {
|
||||
"inputs": {
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['riskiqintelligence']['connectionId']"
|
||||
}
|
||||
},
|
||||
"method": "get",
|
||||
"path": "/v0/pdns/name",
|
||||
"queries": {
|
||||
"lastSeenAfter": "@variables('last30')",
|
||||
"name": "@items('For_each')?['DnsDomain']",
|
||||
"type": "A"
|
||||
}
|
||||
},
|
||||
"runAfter": {},
|
||||
"type": "ApiConnection"
|
||||
}
|
||||
},
|
||||
"foreach": "@body('Alert_-_Get_hosts')?['Hosts']",
|
||||
"runAfter": {
|
||||
"Initialize_variable": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "Foreach"
|
||||
},
|
||||
"For_each_2": {
|
||||
"actions": {
|
||||
"Add_comment_to_incident_(V2)": {
|
||||
"inputs": {
|
||||
"body": {
|
||||
"Value": "Last 30-days of unique passive DNS records for @{items('For_each_2')?['DnsDomain']}\n@{body('Create_CSV_table')}\nExplore more at https://community.riskiq.com/search/@{items('For_each_2')?['DnsDomain']}"
|
||||
},
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
|
||||
}
|
||||
},
|
||||
"method": "put",
|
||||
"path": "/Comment/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/@{encodeURIComponent('Alert')}/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}"
|
||||
},
|
||||
"runAfter": {},
|
||||
"type": "ApiConnection"
|
||||
}
|
||||
},
|
||||
"foreach": "@body('Alert_-_Get_hosts')?['Hosts']",
|
||||
"runAfter": {
|
||||
"Create_CSV_table": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "Foreach"
|
||||
},
|
||||
"Initialize_variable": {
|
||||
"inputs": {
|
||||
"variables": [
|
||||
{
|
||||
"name": "last30",
|
||||
"type": "string",
|
||||
"value": "@{formatDateTime(addDays(utcNow(), -30), 'yyyy-MM-dd')}"
|
||||
}
|
||||
]
|
||||
},
|
||||
"runAfter": {
|
||||
"Initialize_variable_2": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "InitializeVariable"
|
||||
},
|
||||
"Initialize_variable_2": {
|
||||
"inputs": {
|
||||
"variables": [
|
||||
{
|
||||
"name": "infra",
|
||||
"type": "array"
|
||||
}
|
||||
]
|
||||
},
|
||||
"runAfter": {
|
||||
"Alert_-_Get_hosts": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "InitializeVariable"
|
||||
}
|
||||
},
|
||||
"contentVersion": "1.0.0.0",
|
||||
"outputs": {},
|
||||
"parameters": {
|
||||
"$connections": {
|
||||
"defaultValue": {},
|
||||
"type": "Object"
|
||||
}
|
||||
},
|
||||
"triggers": {
|
||||
"When_a_response_to_an_Azure_Sentinel_alert_is_triggered": {
|
||||
"inputs": {
|
||||
"body": {
|
||||
"callback_url": "@{listCallbackUrl()}"
|
||||
},
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
|
||||
}
|
||||
},
|
||||
"path": "/subscribe"
|
||||
},
|
||||
"type": "ApiConnectionWebhook"
|
||||
}
|
||||
}
|
||||
},
|
||||
"parameters": {
|
||||
"$connections": {
|
||||
"value": {
|
||||
"azuresentinel": {
|
||||
"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
|
||||
"connectionName": "[variables('AzureSentinelConnectionName')]",
|
||||
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
|
||||
},
|
||||
"riskiqintelligence": {
|
||||
"connectionId": "[resourceId('Microsoft.Web/connections', variables('RiskIQConnectionName'))]",
|
||||
"connectionName": "[variables('RiskIQConnectionName')]",
|
||||
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/riskiqintelligence')]"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}]
|
||||
}
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
# Enrich-SentinelIncident-RiskIQ-Host-Passive-DNS
|
||||
author: Brandon Dixon, RiskIQ
|
||||
|
||||
This playbook uses the RiskIQ Intelligence connector to automatically enrich incidents generated by Sentinel with recent passive DNS records. You need a valid subscription in order to use the connector and playbook. To learn more about the service and request a trial key, see the [API documentation](https://api.riskiq.net/api/concepts.html).
|
||||
|
||||
<a href="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FSend-UrlReport%2Fazuredeploy.json" target="_blank">
|
||||
<img src="https://aka.ms/deploytoazurebutton""/>
|
||||
</a>
|
||||
<a href="https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FSend-UrlReport%2Fazuredeploy.json" target="_blank">
|
||||
<img src="https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazuregov.png"/>
|
||||
</a>
|
||||
|
|
@ -0,0 +1,243 @@
|
|||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
|
||||
"metadata": {
|
||||
"comments": "This playbook uses the RiskIQ Intelligence connector to automatically enrich incidents generated by Sentinel with associated SSL certificates.",
|
||||
"author": "Brandon Dixon, RiskIQ"
|
||||
},
|
||||
"parameters": {
|
||||
"PlaybookName": {
|
||||
"defaultValue": "Recent-Host-SSL-Certificate",
|
||||
"type": "string"
|
||||
},
|
||||
"UserName": {
|
||||
"defaultValue": "<username>@<domain>",
|
||||
"type": "string"
|
||||
}
|
||||
},
|
||||
"variables": {
|
||||
"AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]",
|
||||
"RiskIQConnectionName": "[concat('riskiqintelligence-', parameters('PlaybookName'))]"
|
||||
},
|
||||
"resources": [{
|
||||
"type": "Microsoft.Web/connections",
|
||||
"apiVersion": "2016-06-01",
|
||||
"name": "[variables('RiskIQConnectionName')]",
|
||||
"location": "[resourceGroup().location]",
|
||||
"properties": {
|
||||
"customParameterValues": {},
|
||||
"api": {
|
||||
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/riskiqintelligence')]"
|
||||
}
|
||||
}
|
||||
}, {
|
||||
"type": "Microsoft.Web/connections",
|
||||
"apiVersion": "2016-06-01",
|
||||
"name": "[variables('AzureSentinelConnectionName')]",
|
||||
"location": "[resourceGroup().location]",
|
||||
"properties": {
|
||||
"customParameterValues": {},
|
||||
"api": {
|
||||
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
|
||||
}
|
||||
}
|
||||
}, {
|
||||
"type": "Microsoft.Logic/workflows",
|
||||
"apiVersion": "2017-07-01",
|
||||
"name": "[parameters('PlaybookName')]",
|
||||
"location": "[resourceGroup().location]",
|
||||
"tags": {
|
||||
"LogicAppsCategory": "security"
|
||||
},
|
||||
"dependsOn": [
|
||||
"[resourceId('Microsoft.Web/connections', variables('RiskIQConnectionName'))]",
|
||||
"[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]"
|
||||
],
|
||||
"properties": {
|
||||
"state": "Enabled",
|
||||
"definition": {
|
||||
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
|
||||
"actions": {
|
||||
"Alert_-_Get_hosts": {
|
||||
"inputs": {
|
||||
"body": "@triggerBody()?['Entities']",
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
|
||||
}
|
||||
},
|
||||
"method": "post",
|
||||
"path": "/entities/host"
|
||||
},
|
||||
"runAfter": {},
|
||||
"type": "ApiConnection"
|
||||
},
|
||||
"Certificate_Holder": {
|
||||
"inputs": {
|
||||
"variables": [
|
||||
{
|
||||
"name": "certs",
|
||||
"type": "array"
|
||||
}
|
||||
]
|
||||
},
|
||||
"runAfter": {
|
||||
"Alert_-_Get_hosts": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "InitializeVariable"
|
||||
},
|
||||
"Create_CSV_table": {
|
||||
"inputs": {
|
||||
"columns": [
|
||||
{
|
||||
"header": " ",
|
||||
"value": "@item()"
|
||||
}
|
||||
],
|
||||
"format": "CSV",
|
||||
"from": "@variables('certs')"
|
||||
},
|
||||
"runAfter": {
|
||||
"For_each_host": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "Table"
|
||||
},
|
||||
"For_each_2": {
|
||||
"actions": {
|
||||
"Add_comment_to_incident_(V2)": {
|
||||
"inputs": {
|
||||
"body": {
|
||||
"Value": "Associated SSL certificates for @{items('For_each_2')?['DnsDomain']}\n@{body('Create_CSV_table')}\nExplore more at https://community.riskiq.com/search/@{items('For_each_2')?['DnsDomain']}"
|
||||
},
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
|
||||
}
|
||||
},
|
||||
"method": "put",
|
||||
"path": "/Comment/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/@{encodeURIComponent('Alert')}/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}"
|
||||
},
|
||||
"runAfter": {},
|
||||
"type": "ApiConnection"
|
||||
}
|
||||
},
|
||||
"foreach": "@body('Alert_-_Get_hosts')?['Hosts']",
|
||||
"runAfter": {
|
||||
"Create_CSV_table": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "Foreach"
|
||||
},
|
||||
"For_each_host": {
|
||||
"actions": {
|
||||
"For_each": {
|
||||
"actions": {
|
||||
"Condition": {
|
||||
"actions": {
|
||||
"Append_to_array_variable": {
|
||||
"inputs": {
|
||||
"name": "certs",
|
||||
"value": "@item()['sha1']"
|
||||
},
|
||||
"runAfter": {},
|
||||
"type": "AppendToArrayVariable"
|
||||
}
|
||||
},
|
||||
"expression": {
|
||||
"and": [
|
||||
{
|
||||
"not": {
|
||||
"contains": [
|
||||
"@variables('certs')",
|
||||
"@item()['sha1']"
|
||||
]
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
"runAfter": {},
|
||||
"type": "If"
|
||||
}
|
||||
},
|
||||
"foreach": "@body('Get_SSL_certificates_by_host_name')?['content']",
|
||||
"runAfter": {
|
||||
"Get_SSL_certificates_by_host_name": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "Foreach"
|
||||
},
|
||||
"Get_SSL_certificates_by_host_name": {
|
||||
"inputs": {
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['riskiqintelligence']['connectionId']"
|
||||
}
|
||||
},
|
||||
"method": "get",
|
||||
"path": "/v1/ssl/cert/host",
|
||||
"queries": {
|
||||
"host": "@items('For_each_host')?['DnsDomain']"
|
||||
}
|
||||
},
|
||||
"runAfter": {},
|
||||
"type": "ApiConnection"
|
||||
}
|
||||
},
|
||||
"foreach": "@body('Alert_-_Get_hosts')?['Hosts']",
|
||||
"runAfter": {
|
||||
"Certificate_Holder": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "Foreach"
|
||||
}
|
||||
},
|
||||
"contentVersion": "1.0.0.0",
|
||||
"outputs": {},
|
||||
"parameters": {
|
||||
"$connections": {
|
||||
"defaultValue": {},
|
||||
"type": "Object"
|
||||
}
|
||||
},
|
||||
"triggers": {
|
||||
"When_a_response_to_an_Azure_Sentinel_alert_is_triggered": {
|
||||
"inputs": {
|
||||
"body": {
|
||||
"callback_url": "@{listCallbackUrl()}"
|
||||
},
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
|
||||
}
|
||||
},
|
||||
"path": "/subscribe"
|
||||
},
|
||||
"type": "ApiConnectionWebhook"
|
||||
}
|
||||
}
|
||||
},
|
||||
"parameters": {
|
||||
"$connections": {
|
||||
"value": {
|
||||
"azuresentinel": {
|
||||
"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
|
||||
"connectionName": "[variables('AzureSentinelConnectionName')]",
|
||||
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
|
||||
},
|
||||
"riskiqintelligence": {
|
||||
"connectionId": "[resourceId('Microsoft.Web/connections', variables('RiskIQConnectionName'))]",
|
||||
"connectionName": "[variables('RiskIQConnectionName')]",
|
||||
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/riskiqintelligence')]"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}]
|
||||
}
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
# Enrich-SentinelIncident-RiskIQ-Host-SSL-Certificate
|
||||
author: Brandon Dixon, RiskIQ
|
||||
|
||||
This playbook uses the RiskIQ Intelligence connector to automatically enrich incidents generated by Sentinel with SSL certificates. You need a valid subscription in order to use the connector and playbook. To learn more about the service and request a trial key, see the [API documentation](https://api.riskiq.net/api/concepts.html).
|
||||
|
||||
<a href="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FSend-UrlReport%2Fazuredeploy.json" target="_blank">
|
||||
<img src="https://aka.ms/deploytoazurebutton""/>
|
||||
</a>
|
||||
<a href="https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FSend-UrlReport%2Fazuredeploy.json" target="_blank">
|
||||
<img src="https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazuregov.png"/>
|
||||
</a>
|
||||
|
|
@ -0,0 +1,172 @@
|
|||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
|
||||
"metadata": {
|
||||
"comments": "This playbook uses the RiskIQ Intelligence connector to automatically enrich incidents generated by Sentinel with the current WHOIS record.",
|
||||
"author": "Brandon Dixon, RiskIQ"
|
||||
},
|
||||
"parameters": {
|
||||
"PlaybookName": {
|
||||
"defaultValue": "Recent-WHOIS",
|
||||
"type": "string"
|
||||
},
|
||||
"UserName": {
|
||||
"defaultValue": "<username>@<domain>",
|
||||
"type": "string"
|
||||
}
|
||||
},
|
||||
"variables": {
|
||||
"AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]",
|
||||
"RiskIQConnectionName": "[concat('riskiqintelligence-', parameters('PlaybookName'))]"
|
||||
},
|
||||
"resources": [{
|
||||
"type": "Microsoft.Web/connections",
|
||||
"apiVersion": "2016-06-01",
|
||||
"name": "[variables('RiskIQConnectionName')]",
|
||||
"location": "[resourceGroup().location]",
|
||||
"properties": {
|
||||
"customParameterValues": {},
|
||||
"api": {
|
||||
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/riskiqintelligence')]"
|
||||
}
|
||||
}
|
||||
}, {
|
||||
"type": "Microsoft.Web/connections",
|
||||
"apiVersion": "2016-06-01",
|
||||
"name": "[variables('AzureSentinelConnectionName')]",
|
||||
"location": "[resourceGroup().location]",
|
||||
"properties": {
|
||||
"customParameterValues": {},
|
||||
"api": {
|
||||
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
|
||||
}
|
||||
}
|
||||
}, {
|
||||
"type": "Microsoft.Logic/workflows",
|
||||
"apiVersion": "2017-07-01",
|
||||
"name": "[parameters('PlaybookName')]",
|
||||
"location": "[resourceGroup().location]",
|
||||
"tags": {
|
||||
"LogicAppsCategory": "security"
|
||||
},
|
||||
"dependsOn": [
|
||||
"[resourceId('Microsoft.Web/connections', variables('RiskIQConnectionName'))]",
|
||||
"[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]"
|
||||
],
|
||||
"properties": {
|
||||
"state": "Enabled",
|
||||
"definition": {
|
||||
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
|
||||
"actions": {
|
||||
"Alert_-_Get_hosts": {
|
||||
"inputs": {
|
||||
"body": "@triggerBody()?['Entities']",
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
|
||||
}
|
||||
},
|
||||
"method": "post",
|
||||
"path": "/entities/host"
|
||||
},
|
||||
"runAfter": {},
|
||||
"type": "ApiConnection"
|
||||
},
|
||||
"For_each": {
|
||||
"actions": {
|
||||
"For_each_2": {
|
||||
"actions": {
|
||||
"Add_comment_to_incident_(V2)": {
|
||||
"inputs": {
|
||||
"body": {
|
||||
"Value": "Associated WHOIS record for @{items('For_each')?['DnsDomain']}:\n\nRegistrar: @{items('For_each_2')?['registrar']}\nRegistered: @{items('For_each_2')?['registered']}\nExpires: @{items('For_each_2')?['expiresAt']}\nContact: @{items('For_each_2')?['contactEmail']}\nNameservers: @{items('For_each_2')?['nameServers']}\n\nTo search on WHOIS data or view historic records, see https://community.riskiq.com/search/@{items('For_each')?['DnsDomain']}/whois"
|
||||
},
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
|
||||
}
|
||||
},
|
||||
"method": "put",
|
||||
"path": "/Comment/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/@{encodeURIComponent('Alert')}/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}"
|
||||
},
|
||||
"runAfter": {},
|
||||
"type": "ApiConnection"
|
||||
}
|
||||
},
|
||||
"foreach": "@body('Get_the_current_WHOIS_for_a_domain')?['domains']",
|
||||
"runAfter": {
|
||||
"Get_the_current_WHOIS_for_a_domain": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "Foreach"
|
||||
},
|
||||
"Get_the_current_WHOIS_for_a_domain": {
|
||||
"inputs": {
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['riskiqintelligence']['connectionId']"
|
||||
}
|
||||
},
|
||||
"method": "get",
|
||||
"path": "/v0/whois/domain",
|
||||
"queries": {
|
||||
"domain": "@items('For_each')?['DnsDomain']"
|
||||
}
|
||||
},
|
||||
"runAfter": {},
|
||||
"type": "ApiConnection"
|
||||
}
|
||||
},
|
||||
"foreach": "@body('Alert_-_Get_hosts')?['Hosts']",
|
||||
"runAfter": {
|
||||
"Alert_-_Get_hosts": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "Foreach"
|
||||
}
|
||||
},
|
||||
"contentVersion": "1.0.0.0",
|
||||
"outputs": {},
|
||||
"parameters": {
|
||||
"$connections": {
|
||||
"defaultValue": {},
|
||||
"type": "Object"
|
||||
}
|
||||
},
|
||||
"triggers": {
|
||||
"When_a_response_to_an_Azure_Sentinel_alert_is_triggered": {
|
||||
"inputs": {
|
||||
"body": {
|
||||
"callback_url": "@{listCallbackUrl()}"
|
||||
},
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
|
||||
}
|
||||
},
|
||||
"path": "/subscribe"
|
||||
},
|
||||
"type": "ApiConnectionWebhook"
|
||||
}
|
||||
}
|
||||
},
|
||||
"parameters": {
|
||||
"$connections": {
|
||||
"value": {
|
||||
"azuresentinel": {
|
||||
"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
|
||||
"connectionName": "[variables('AzureSentinelConnectionName')]",
|
||||
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
|
||||
},
|
||||
"riskiqintelligence": {
|
||||
"connectionId": "[resourceId('Microsoft.Web/connections', variables('RiskIQConnectionName'))]",
|
||||
"connectionName": "[variables('RiskIQConnectionName')]",
|
||||
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/riskiqintelligence')]"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}]
|
||||
}
|
||||
|
|
@ -0,0 +1,261 @@
|
|||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
|
||||
"metadata": {
|
||||
"comments": "This playbook uses the RiskIQ Intelligence connector to automatically enrich incidents generated by Sentinel with recent passive DNS records.",
|
||||
"author": "Brandon Dixon, RiskIQ"
|
||||
},
|
||||
"parameters": {
|
||||
"PlaybookName": {
|
||||
"defaultValue": "Recent-IP-Passive-DNS",
|
||||
"type": "string"
|
||||
},
|
||||
"UserName": {
|
||||
"defaultValue": "<username>@<domain>",
|
||||
"type": "string"
|
||||
}
|
||||
},
|
||||
"variables": {
|
||||
"AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]",
|
||||
"RiskIQConnectionName": "[concat('riskiqintelligence-', parameters('PlaybookName'))]"
|
||||
},
|
||||
"resources": [{
|
||||
"type": "Microsoft.Web/connections",
|
||||
"apiVersion": "2016-06-01",
|
||||
"name": "[variables('RiskIQConnectionName')]",
|
||||
"location": "[resourceGroup().location]",
|
||||
"properties": {
|
||||
"customParameterValues": {},
|
||||
"api": {
|
||||
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/riskiqintelligence')]"
|
||||
}
|
||||
}
|
||||
}, {
|
||||
"type": "Microsoft.Web/connections",
|
||||
"apiVersion": "2016-06-01",
|
||||
"name": "[variables('AzureSentinelConnectionName')]",
|
||||
"location": "[resourceGroup().location]",
|
||||
"properties": {
|
||||
"customParameterValues": {},
|
||||
"api": {
|
||||
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
|
||||
}
|
||||
}
|
||||
}, {
|
||||
"type": "Microsoft.Logic/workflows",
|
||||
"apiVersion": "2017-07-01",
|
||||
"name": "[parameters('PlaybookName')]",
|
||||
"location": "[resourceGroup().location]",
|
||||
"tags": {
|
||||
"LogicAppsCategory": "security"
|
||||
},
|
||||
"dependsOn": [
|
||||
"[resourceId('Microsoft.Web/connections', variables('RiskIQConnectionName'))]",
|
||||
"[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]"
|
||||
],
|
||||
"properties": {
|
||||
"state": "Enabled",
|
||||
"definition": {
|
||||
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
|
||||
"actions": {
|
||||
"Alert_-_Get_IPs": {
|
||||
"inputs": {
|
||||
"body": "@triggerBody()?['Entities']",
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
|
||||
}
|
||||
},
|
||||
"method": "post",
|
||||
"path": "/entities/ip"
|
||||
},
|
||||
"runAfter": {},
|
||||
"type": "ApiConnection"
|
||||
},
|
||||
"Create_CSV_table": {
|
||||
"inputs": {
|
||||
"columns": [
|
||||
{
|
||||
"header": " ",
|
||||
"value": "@item()"
|
||||
}
|
||||
],
|
||||
"format": "CSV",
|
||||
"from": "@variables('infra')"
|
||||
},
|
||||
"runAfter": {
|
||||
"For_each": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "Table"
|
||||
},
|
||||
"For_each": {
|
||||
"actions": {
|
||||
"For_each_5": {
|
||||
"actions": {
|
||||
"Condition": {
|
||||
"actions": {
|
||||
"Append_to_array_variable": {
|
||||
"inputs": {
|
||||
"name": "infra",
|
||||
"value": "@items('For_each_5')?['name']"
|
||||
},
|
||||
"runAfter": {},
|
||||
"type": "AppendToArrayVariable"
|
||||
}
|
||||
},
|
||||
"expression": {
|
||||
"and": [
|
||||
{
|
||||
"not": {
|
||||
"contains": [
|
||||
"@variables('infra')",
|
||||
"@items('For_each_5')?['name']"
|
||||
]
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
"runAfter": {},
|
||||
"type": "If"
|
||||
}
|
||||
},
|
||||
"foreach": "@body('Passive_DNS_results_by_name')?['records']",
|
||||
"runAfter": {
|
||||
"Passive_DNS_results_by_name": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "Foreach"
|
||||
},
|
||||
"Passive_DNS_results_by_name": {
|
||||
"inputs": {
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['riskiqintelligence']['connectionId']"
|
||||
}
|
||||
},
|
||||
"method": "get",
|
||||
"path": "/v0/pdns/data/ip",
|
||||
"queries": {
|
||||
"ip": "@items('For_each')?['Address']",
|
||||
"lastSeenAfter": "@variables('last30')"
|
||||
}
|
||||
},
|
||||
"runAfter": {},
|
||||
"type": "ApiConnection"
|
||||
}
|
||||
},
|
||||
"foreach": "@body('Alert_-_Get_IPs')?['IPs']",
|
||||
"runAfter": {
|
||||
"Initialize_variable": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "Foreach"
|
||||
},
|
||||
"For_each_2": {
|
||||
"actions": {
|
||||
"Add_comment_to_incident_(V2)": {
|
||||
"inputs": {
|
||||
"body": {
|
||||
"Value": "Last 30-days of unique passive DNS records for @{items('For_each_2')?['Address']}\n@{body('Create_CSV_table')}\nExplore more at https://community.riskiq.com/search/@{items('For_each_2')?['Address']}"
|
||||
},
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
|
||||
}
|
||||
},
|
||||
"method": "put",
|
||||
"path": "/Comment/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/@{encodeURIComponent('Alert')}/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}"
|
||||
},
|
||||
"runAfter": {},
|
||||
"type": "ApiConnection"
|
||||
}
|
||||
},
|
||||
"foreach": "@body('Alert_-_Get_IPs')?['IPs']",
|
||||
"runAfter": {
|
||||
"Create_CSV_table": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "Foreach"
|
||||
},
|
||||
"Initialize_variable": {
|
||||
"inputs": {
|
||||
"variables": [
|
||||
{
|
||||
"name": "last30",
|
||||
"type": "string",
|
||||
"value": "@{formatDateTime(addDays(utcNow(), -30), 'yyyy-MM-dd')}"
|
||||
}
|
||||
]
|
||||
},
|
||||
"runAfter": {
|
||||
"Initialize_variable_2": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "InitializeVariable"
|
||||
},
|
||||
"Initialize_variable_2": {
|
||||
"inputs": {
|
||||
"variables": [
|
||||
{
|
||||
"name": "infra",
|
||||
"type": "array"
|
||||
}
|
||||
]
|
||||
},
|
||||
"runAfter": {
|
||||
"Alert_-_Get_IPs": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "InitializeVariable"
|
||||
}
|
||||
},
|
||||
"contentVersion": "1.0.0.0",
|
||||
"outputs": {},
|
||||
"parameters": {
|
||||
"$connections": {
|
||||
"defaultValue": {},
|
||||
"type": "Object"
|
||||
}
|
||||
},
|
||||
"triggers": {
|
||||
"When_a_response_to_an_Azure_Sentinel_alert_is_triggered": {
|
||||
"inputs": {
|
||||
"body": {
|
||||
"callback_url": "@{listCallbackUrl()}"
|
||||
},
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
|
||||
}
|
||||
},
|
||||
"path": "/subscribe"
|
||||
},
|
||||
"type": "ApiConnectionWebhook"
|
||||
}
|
||||
}
|
||||
},
|
||||
"parameters": {
|
||||
"$connections": {
|
||||
"value": {
|
||||
"azuresentinel": {
|
||||
"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
|
||||
"connectionName": "[variables('AzureSentinelConnectionName')]",
|
||||
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
|
||||
},
|
||||
"riskiqintelligence": {
|
||||
"connectionId": "[resourceId('Microsoft.Web/connections', variables('RiskIQConnectionName'))]",
|
||||
"connectionName": "[variables('RiskIQConnectionName')]",
|
||||
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/riskiqintelligence')]"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}]
|
||||
}
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
# Enrich-SentinelIncident-RiskIQ-Host-Passive-DNS
|
||||
author: Brandon Dixon, RiskIQ
|
||||
|
||||
This playbook uses the RiskIQ Intelligence connector to automatically enrich incidents generated by Sentinel with recent passive DNS records. You need a valid subscription in order to use the connector and playbook. To learn more about the service and request a trial key, see the [API documentation](https://api.riskiq.net/api/concepts.html).
|
||||
|
||||
<a href="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FSend-UrlReport%2Fazuredeploy.json" target="_blank">
|
||||
<img src="https://aka.ms/deploytoazurebutton""/>
|
||||
</a>
|
||||
<a href="https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FSend-UrlReport%2Fazuredeploy.json" target="_blank">
|
||||
<img src="https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazuregov.png"/>
|
||||
</a>
|
||||
|
|
@ -0,0 +1,243 @@
|
|||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
|
||||
"metadata": {
|
||||
"comments": "This playbook uses the RiskIQ Intelligence connector to automatically enrich incidents generated by Sentinel with associated SSL certificates.",
|
||||
"author": "Brandon Dixon, RiskIQ"
|
||||
},
|
||||
"parameters": {
|
||||
"PlaybookName": {
|
||||
"defaultValue": "Recent-IP-SSL-Certificate",
|
||||
"type": "string"
|
||||
},
|
||||
"UserName": {
|
||||
"defaultValue": "<username>@<domain>",
|
||||
"type": "string"
|
||||
}
|
||||
},
|
||||
"variables": {
|
||||
"AzureSentinelConnectionName": "[concat('azuresentinel-', parameters('PlaybookName'))]",
|
||||
"RiskIQConnectionName": "[concat('riskiqintelligence-', parameters('PlaybookName'))]"
|
||||
},
|
||||
"resources": [{
|
||||
"type": "Microsoft.Web/connections",
|
||||
"apiVersion": "2016-06-01",
|
||||
"name": "[variables('RiskIQConnectionName')]",
|
||||
"location": "[resourceGroup().location]",
|
||||
"properties": {
|
||||
"customParameterValues": {},
|
||||
"api": {
|
||||
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/riskiqintelligence')]"
|
||||
}
|
||||
}
|
||||
}, {
|
||||
"type": "Microsoft.Web/connections",
|
||||
"apiVersion": "2016-06-01",
|
||||
"name": "[variables('AzureSentinelConnectionName')]",
|
||||
"location": "[resourceGroup().location]",
|
||||
"properties": {
|
||||
"customParameterValues": {},
|
||||
"api": {
|
||||
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
|
||||
}
|
||||
}
|
||||
}, {
|
||||
"type": "Microsoft.Logic/workflows",
|
||||
"apiVersion": "2017-07-01",
|
||||
"name": "[parameters('PlaybookName')]",
|
||||
"location": "[resourceGroup().location]",
|
||||
"tags": {
|
||||
"LogicAppsCategory": "security"
|
||||
},
|
||||
"dependsOn": [
|
||||
"[resourceId('Microsoft.Web/connections', variables('RiskIQConnectionName'))]",
|
||||
"[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]"
|
||||
],
|
||||
"properties": {
|
||||
"state": "Enabled",
|
||||
"definition": {
|
||||
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
|
||||
"actions": {
|
||||
"Alert_-_Get_IPs": {
|
||||
"inputs": {
|
||||
"body": "@triggerBody()?['Entities']",
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
|
||||
}
|
||||
},
|
||||
"method": "post",
|
||||
"path": "/entities/ip"
|
||||
},
|
||||
"runAfter": {},
|
||||
"type": "ApiConnection"
|
||||
},
|
||||
"Certificate_Holder": {
|
||||
"inputs": {
|
||||
"variables": [
|
||||
{
|
||||
"name": "certs",
|
||||
"type": "array"
|
||||
}
|
||||
]
|
||||
},
|
||||
"runAfter": {
|
||||
"Alert_-_Get_IPs": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "InitializeVariable"
|
||||
},
|
||||
"Create_CSV_table": {
|
||||
"inputs": {
|
||||
"columns": [
|
||||
{
|
||||
"header": " ",
|
||||
"value": "@item()"
|
||||
}
|
||||
],
|
||||
"format": "CSV",
|
||||
"from": "@variables('certs')"
|
||||
},
|
||||
"runAfter": {
|
||||
"For_each_ip": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "Table"
|
||||
},
|
||||
"For_each_2": {
|
||||
"actions": {
|
||||
"Add_comment_to_incident_(V2)": {
|
||||
"inputs": {
|
||||
"body": {
|
||||
"Value": "Associated SSL certificates for @{items('For_each_2')?['Address']}\n@{body('Create_CSV_table')}\nExplore more at https://community.riskiq.com/search/@{items('For_each_2')?['Address']}"
|
||||
},
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
|
||||
}
|
||||
},
|
||||
"method": "put",
|
||||
"path": "/Comment/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/@{encodeURIComponent('Alert')}/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}"
|
||||
},
|
||||
"runAfter": {},
|
||||
"type": "ApiConnection"
|
||||
}
|
||||
},
|
||||
"foreach": "@body('Alert_-_Get_IPs')?['IPs']",
|
||||
"runAfter": {
|
||||
"Create_CSV_table": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "Foreach"
|
||||
},
|
||||
"For_each_ip": {
|
||||
"actions": {
|
||||
"For_each": {
|
||||
"actions": {
|
||||
"Condition": {
|
||||
"actions": {
|
||||
"Append_to_array_variable": {
|
||||
"inputs": {
|
||||
"name": "certs",
|
||||
"value": "@item()['sha1']"
|
||||
},
|
||||
"runAfter": {},
|
||||
"type": "AppendToArrayVariable"
|
||||
}
|
||||
},
|
||||
"expression": {
|
||||
"and": [
|
||||
{
|
||||
"not": {
|
||||
"contains": [
|
||||
"@variables('certs')",
|
||||
"@item()['sha1']"
|
||||
]
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
"runAfter": {},
|
||||
"type": "If"
|
||||
}
|
||||
},
|
||||
"foreach": "@body('Get_SSL_certificates_by_host_name')?['content']",
|
||||
"runAfter": {
|
||||
"Get_SSL_certificates_by_host_name": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "Foreach"
|
||||
},
|
||||
"Get_SSL_certificates_by_host_name": {
|
||||
"inputs": {
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['riskiqintelligence']['connectionId']"
|
||||
}
|
||||
},
|
||||
"method": "get",
|
||||
"path": "/v1/ssl/cert/host",
|
||||
"queries": {
|
||||
"host": "@items('For_each_ip')?['Address']"
|
||||
}
|
||||
},
|
||||
"runAfter": {},
|
||||
"type": "ApiConnection"
|
||||
}
|
||||
},
|
||||
"foreach": "@body('Alert_-_Get_IPs')?['IPs']",
|
||||
"runAfter": {
|
||||
"Certificate_Holder": [
|
||||
"Succeeded"
|
||||
]
|
||||
},
|
||||
"type": "Foreach"
|
||||
}
|
||||
},
|
||||
"contentVersion": "1.0.0.0",
|
||||
"outputs": {},
|
||||
"parameters": {
|
||||
"$connections": {
|
||||
"defaultValue": {},
|
||||
"type": "Object"
|
||||
}
|
||||
},
|
||||
"triggers": {
|
||||
"When_a_response_to_an_Azure_Sentinel_alert_is_triggered": {
|
||||
"inputs": {
|
||||
"body": {
|
||||
"callback_url": "@{listCallbackUrl()}"
|
||||
},
|
||||
"host": {
|
||||
"connection": {
|
||||
"name": "@parameters('$connections')['azuresentinel']['connectionId']"
|
||||
}
|
||||
},
|
||||
"path": "/subscribe"
|
||||
},
|
||||
"type": "ApiConnectionWebhook"
|
||||
}
|
||||
}
|
||||
},
|
||||
"parameters": {
|
||||
"$connections": {
|
||||
"value": {
|
||||
"azuresentinel": {
|
||||
"connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
|
||||
"connectionName": "[variables('AzureSentinelConnectionName')]",
|
||||
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]"
|
||||
},
|
||||
"riskiqintelligence": {
|
||||
"connectionId": "[resourceId('Microsoft.Web/connections', variables('RiskIQConnectionName'))]",
|
||||
"connectionName": "[variables('RiskIQConnectionName')]",
|
||||
"id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/riskiqintelligence')]"
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}]
|
||||
}
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
# Enrich-SentinelIncident-RiskIQ-IP-SSL-Certificate
|
||||
author: Brandon Dixon, RiskIQ
|
||||
|
||||
This playbook uses the RiskIQ Intelligence connector to automatically enrich incidents generated by Sentinel with SSL certificates. You need a valid subscription in order to use the connector and playbook. To learn more about the service and request a trial key, see the [API documentation](https://api.riskiq.net/api/concepts.html).
|
||||
|
||||
<a href="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FSend-UrlReport%2Fazuredeploy.json" target="_blank">
|
||||
<img src="https://aka.ms/deploytoazurebutton""/>
|
||||
</a>
|
||||
<a href="https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FSend-UrlReport%2Fazuredeploy.json" target="_blank">
|
||||
<img src="https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazuregov.png"/>
|
||||
</a>
|
||||
|
|
@ -6,7 +6,7 @@
|
|||
},
|
||||
"parameters": {
|
||||
"PlaybookName": {
|
||||
"defaultValue": "Host-Enrichment",
|
||||
"defaultValue": "Summary-Host-Enrichment",
|
||||
"type": "string"
|
||||
},
|
||||
"UserName": {
|
||||
|
|
@ -1,4 +1,4 @@
|
|||
# Enrich-SentinelIncident-RiskIQ-Host
|
||||
# Enrich-SentinelIncident-RiskIQ-Summary-Host
|
||||
author: Brandon Dixon, RiskIQ
|
||||
|
||||
This playbook uses the RiskIQ Intelligence connector to automatically enrich incidents generated by Sentinel for domains/hosts. You need a valid subscription in order to use the connector and playbook. To learn more about the service and request a trial key, see the [API documentation](https://api.riskiq.net/api/concepts.html).
|
||||
|
|
@ -6,7 +6,7 @@
|
|||
},
|
||||
"parameters": {
|
||||
"PlaybookName": {
|
||||
"defaultValue": "IP-Enrichment",
|
||||
"defaultValue": "Summary-IP-Enrichment",
|
||||
"type": "string"
|
||||
},
|
||||
"UserName": {
|
||||
|
|
@ -1,4 +1,4 @@
|
|||
# Enrich-SentinelIncident-RiskIQ-IP
|
||||
# Enrich-SentinelIncident-RiskIQ-Summary-IP
|
||||
author: Brandon Dixon, RiskIQ
|
||||
|
||||
This playbook uses the RiskIQ Intelligence connector to automatically enrich incidents generated by Sentinel for IP addresses. You need a valid subscription in order to use the connector and playbook. To learn more about the service and request a trial key, see the [API documentation](https://api.riskiq.net/api/concepts.html).
|
||||
|
|
@ -6,7 +6,7 @@
|
|||
},
|
||||
"parameters": {
|
||||
"PlaybookName": {
|
||||
"defaultValue": "Full-Enrichment",
|
||||
"defaultValue": "Summary-Enrichment",
|
||||
"type": "string"
|
||||
},
|
||||
"UserName": {
|
||||
|
|
@ -0,0 +1,11 @@
|
|||
# Enrich-SentinelIncident-RiskIQ-Summary
|
||||
author: Brandon Dixon, RiskIQ
|
||||
|
||||
This playbook uses the RiskIQ Intelligence connector to automatically enrich incidents generated by Sentinel. You need a valid subscription in order to use the connector and playbook. To learn more about the service and request a trial key, see the [API documentation](https://api.riskiq.net/api/concepts.html).
|
||||
|
||||
<a href="https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FSend-UrlReport%2Fazuredeploy.json" target="_blank">
|
||||
<img src="https://aka.ms/deploytoazurebutton""/>
|
||||
</a>
|
||||
<a href="https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FSend-UrlReport%2Fazuredeploy.json" target="_blank">
|
||||
<img src="https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/1-CONTRIBUTION-GUIDE/images/deploytoazuregov.png"/>
|
||||
</a>
|
||||
Загрузка…
Ссылка в новой задаче